The question buyers are actually asking
The framing of "is this tool GDPR-compliant?" has shifted over the last 18 months. Until roughly 2023, the buyer's working definition was: can I configure this tool to clear a GDPR audit? That bar has been moveable on almost any monitoring product because configurability is the cheapest feature a vendor can ship. The newer framing — and the one that now decides procurement outcomes in regulated buyers — is: does the tool ship GDPR-compliant in its default state?
The difference matters for three reasons. First, GDPR Article 25 — data protection by design and by default — explicitly places the design-stage burden on the controller (the employer) and, by Article 28 chain, on the processor (the vendor). The "by default" obligation is not a setting; it is a state of the product as shipped. Second, every additional configuration step the buyer takes to make the tool compliant is an additional artefact the buyer has to document in the DPIA, an additional point of staff training, and an additional drift risk at every policy refresh. Third, employees and works councils now read default state as a signal of the vendor's category placement — see our productivity intelligence platform vs employee monitoring category split for the broader framing.
The 5 default-state failures in current monitoring software
Below are the five default-state patterns that most commonly break GDPR Articles 5, 6, and 25 in the current monitoring-software category. Together they form the audit pattern that DPAs — France's CNIL, Italy's Garante, Ireland's DPC, the Netherlands AP — have cited in the highest-profile enforcement decisions of 2022 to 2025. [needs-legal-review]
Failure 1 — Default-on screen capture
Most monitoring tools ship with screen capture enabled in the default policy template, often configured for continuous or short-interval sampling. The Italian Garante and the French CNIL have both treated default-on continuous screen capture as disproportionate under Article 6(1)(f), with the Garante's 2022 NTT Data decision and CNIL's series of monitoring fines spelling out that the burden falls on the employer to demonstrate the necessity of each captured frame. Sampled, event-triggered, work-hours-only capture with sensitive applications masked is the defensible pattern — and the default state of most tools is the inverse.
Failure 2 — Default-on keystroke logging
Keystroke logging is the clearest default-state breach. Continuous keylogging captures content far in excess of any productivity purpose, fails the data-minimization principle in Article 5(1)(c), and on most analyses fails the proportionality limb of Article 6(1)(f). Several enforcement decisions through 2023 to 2025 have specifically named keystroke logging as the trigger feature. The 2026 procurement-side response is straightforward: keystroke capture should be disabled in the default policy template, and enabling it should require a documented purpose, role scope, and audit trail. Our alternative-to-keystroke-tracking guide walks through the metadata-first capture patterns that achieve the same operational purpose without the keystroke layer.
Failure 3 — Default individual-level signal aggregation
Most monitoring tools default the manager dashboard to individual-level signal — person A's idle minutes, person B's keystroke rate, person C's last screenshot. EDPB Guidelines 4/2019 are explicit that the necessity test in Article 6(1)(b) and the proportionality limb of 6(1)(f) require the controller to default to the least-intrusive aggregation that meets the purpose. Team-level aggregation is generally defensible; individual-level is generally not, unless the purpose specifically requires it and the necessity is documented. Default-individual is the inverse of what Article 25 requires by design.
Failure 4 — Default content-aware monitoring rules
Many enterprise monitoring tools ship with content-aware rules templates enabled — prohibited-term detection, exfiltration-pattern alerting, OCR-based screen-content matching. These features are the closest to insider-threat DLP and may be defensible when the controller's purpose is specifically insider-threat investigation, the legal basis is established, the DPIA is current, and the works council has consented where required. But shipping them on by default, in a generic monitoring tenant whose advertised purpose is productivity tracking, fails purpose limitation under Article 5(1)(b) — the captured content exceeds the stated purpose. The 2026 default-state expectation is that DLP-style rules ship disabled and require a separate purpose statement to enable.
Failure 5 — Default retention measured in months or years
Article 5(1)(e) — storage limitation — requires that personal data be kept no longer than necessary for the stated purpose. For productivity and time-tracking data, national DPAs have repeatedly indicated that retention measured in weeks or a few months is the defensible band, with longer retention only where a separate legal obligation (payroll, dispute resolution) applies. The default retention setting on most monitoring tools sits in the 1-year-plus band, often with "indefinite" or "until manual deletion" as a configurable option. The default-state breach is that the buyer has to actively dial retention down, rather than the vendor having shipped a minimal default with optional extension.
Why "configurable" is not the same as "compliant by default"
Every monitoring vendor's marketing page now uses the word "configurable." It is true, and it is necessary, and it is not the same as compliance by default. Three gaps remain even after a buyer dials the defaults down.
The Article 25 breach happens at the design stage, not the configuration stage. GDPR Article 25 places the data-protection-by-design obligation on the controller (the employer), and through the Article 28 processor chain, on the vendor. The vendor's design choice — what ships in the default tenant — is the relevant artefact. A buyer who reconfigures a surveillance-forward default is fixing a downstream symptom, but the design-stage breach has already happened. Several DPAs have signalled that they will read this distinction more strictly in 2026 and beyond.
Configuration creates ongoing drift risk. Every new tenant, every policy template refresh, every staff turnover in the IT or compliance team is a chance for the surveillance-forward default to creep back. The buyer that fixed the default in 2024 has to fix it again in 2025 when the vendor pushes a template update, and again in 2026 when a new admin re-creates the tenant. Default-compliant tools do not have this drift risk because the floor is set by the vendor, not by buyer discipline.
The buyer's DPIA artefacts are easier to assemble on a default-compliant tool. The DPIA under Article 35 has to document the configured state, the necessity for each enabled feature, the proportionality balancing test, and the safeguards. On a tool that ships default-compliant, the DPIA is mostly "what did we additionally enable, and why?" On a tool that ships surveillance-forward, the DPIA is "what did we disable, why is the remaining capture still proportionate, and how do we prevent the default from creeping back?" The second DPIA is materially longer, more fragile, and more expensive to maintain. Our GDPR-compliant employee monitoring 25-point checklist covers the DPIA workflow in detail.
How to read a vendor DPA in 2026
The fastest test for whether a monitoring tool is GDPR-compliant by default is the vendor's data processing agreement and default policy template. Five questions cut through the marketing layer:
| Question | Default-compliant answer | Surveillance-forward answer |
|---|---|---|
| What is the default state of screen capture in a new tenant? | Off. Enable per role with documented purpose and audit trail. | On. Continuous or short-interval sampling. |
| What is the default state of keystroke capture? | Off. Not available outside specific insider-threat purposes. | On. Configurable per project. |
| What is the default aggregation level of the signal layer? | Team-level. Individual-level requires documented justification. | Individual-level. Manager dashboard shows per-person stream. |
| What is the default retention period for raw capture? | 30 days or less. Extension requires separate legal basis. | 1 year or more. Often configurable to "indefinite." |
| Where in the DPA is EU residency named? | Default clause in the standard DPA. EU/EEA hosting is the deployment default. | Negotiated addendum on request. Standard DPA is region-agnostic. |
A tool that produces the right-hand column answers can still be made GDPR-compliant through configuration, but it cannot be called GDPR-compliant by default. The Article 25 breach has already happened at the design stage and the buyer is reconfiguring around it.
What GDPR-compliant-by-default monitoring actually looks like
The vendor shape that meets the by-default standard inverts every row of the table above. Capture features ship disabled and require documented justification to enable. Signal aggregation defaults to team-level. Retention defaults to a short window measured in days or weeks. The DPA's standard clause names EU residency. The default policy template, when a fresh tenant is provisioned, satisfies Articles 5, 6, and 25 without any buyer configuration — extra configuration is for the additional features the buyer chooses to enable, not for fixing what the vendor shipped.
The category placement of this vendor shape is no longer "employee monitoring software" in the traditional sense. It is closer to a productivity intelligence platform that includes optional monitoring features, which is the procurement-side framing that has dominated regulated-buyer RFPs since H2 2025. See our productivity intelligence platform vs employee monitoring piece for the full 7-point category split, and our GDPR-compliant employee monitoring tools 7-point procurement filter for the vendor-shortlisting workflow.
The buyer-side implication
For DPOs and procurement teams writing 2026 monitoring-software RFPs, the actionable change is to add a "default state" section. Two paragraphs are enough. The first asks the vendor to attach the default policy template that ships with a new tenant. The second asks the vendor to confirm in writing whether each capture feature, signal aggregation level, retention period, and data-residency clause is on/off, individual/team, days/years, contractual/configurational in that default state.
The vendor's answers will land them on the default-compliant side of the line or the surveillance-forward side. Both can technically clear a GDPR audit after configuration. Only one of them ships compliant on day one — and that is the one that will compress the procurement cycle, reduce the DPIA workload, and survive the next round of EDPB guidance without a re-architecture.
Free: CISO Procurement Checklist for AI Productivity Vendors
10 questions every CISO should ask before signing — data residency, DPIA, AI auditability, breach SLA, retention, SCIM/SSO, sub-processors, right to audit. Includes scoring rubric and pass / hold / walk thresholds.
Further reading on gStride
- GDPR-compliant employee monitoring — 25-point checklist
- GDPR-compliant employee monitoring tools — 7-point procurement filter
- Productivity intelligence platform vs employee monitoring — the 7-point category split
- EU AI Act & employee time tracking — compliance checklist
- Explainable AI under GDPR Article 22 — the employee-surface obligation
- Alternatives to keystroke tracking — metadata-first capture
- CISO procurement questions for AI productivity vendors
- gStride security and compliance posture
Free: 5-Signal Productivity Self-Audit Worksheet
30-min audit on your team. Focus depth + commit cadence + meeting load + flow-state + blocker recovery. PDF + Google Sheets calc. For Ops Heads, Founders, Eng Managers.
Frequently asked questions
Is employee monitoring software GDPR-compliant by default?
Almost no employee monitoring software in the current market is GDPR-compliant by default in its standard policy template. Default-on screen capture, default-on keystroke logging, default-on content-aware rules, default individual-level signal aggregation, and default retention periods measured in months or years all fail one or more of GDPR Article 5 (data minimization), Article 6 (proportionality limb of legitimate interests), and Article 25 (data protection by design and by default). Compliance becomes possible after the buyer reconfigures the defaults — but the default state itself fails the test, which is exactly what GDPR Article 25 was written to prevent. [needs-legal-review]
What does GDPR Article 25 require monitoring vendors to ship by default?
Article 25 — data protection by design and by default — requires controllers to implement "appropriate technical and organisational measures" that ensure, by default, only personal data necessary for each specific purpose is processed. For monitoring software, the practical reading is: capture features that exceed the minimum necessary should ship disabled, the buyer should have to actively enable each one against a documented purpose, and the platform should produce an audit trail of that enable action. Most monitoring tools currently invert this — capture defaults to enabled, and the buyer has to actively disable. EDPB Guidelines 4/2019 on Article 25 are explicit that the default state has to be the data-protective state, not the maximally-capturing state.
If a monitoring tool is configurable, can I make it GDPR-compliant?
Configurable is necessary but not sufficient. Three gaps remain even after a buyer dials the defaults down. First, Article 25 is breached at the design stage by the vendor, not at the configuration stage by the buyer — the buyer inherits the breach when the tool is deployed. Second, configuration creates ongoing compliance overhead: every new tenant, every policy template refresh, every staff turnover in IT is a chance for surveillance-forward defaults to creep back. Third, the documented justification, audit trail, and FRIA artefacts that the buyer needs to defend the configured state are easier to assemble on a tool that ships GDPR-compliant defaults than on one that needs reconfiguration. Configurable is the floor; defaults-compliant is the ceiling.
Which GDPR articles do default-on screen capture and keystroke logging breach?
Default-on screen capture and keystroke logging breach at least three GDPR articles in most current monitoring deployments. Article 5(1)(c) — data minimization — because continuous capture exceeds the minimum data necessary for productivity purposes. Article 6(1)(f) — proportionality limb of legitimate interests — because the EDPB and multiple national DPAs have ruled continuous capture disproportionate to the stated purpose. Article 25 — data protection by design and by default — because the default state of the tool is the maximally-capturing state, not the data-protective state. Several enforcement decisions through 2022 to 2025 have specifically named these features as the trigger. [needs-legal-review]
How does the EU AI Act change the default-state analysis?
The EU AI Act (Regulation 2024/1689) adds a second layer on top of the GDPR Article 25 default-state analysis. Workplace monitoring AI used to evaluate, allocate tasks to, or monitor employees is high-risk under Article 6 of the AI Act. The conformance documentation, FRIA template, transparency notice, human oversight, and bias-and-accuracy testing required for high-risk systems are much easier to satisfy when the underlying tool ships GDPR-compliant defaults. A surveillance-forward default state means the buyer is documenting compliance work across both regulatory tracks simultaneously. Enforcement opens 2 August 2026.
Does the by-default analysis apply outside the EU?
The Article 25 framing is GDPR-specific, but the underlying principle — that the vendor's default state matters as much as the configured state — applies more broadly. UK GDPR mirrors Article 25 directly. The Swiss revFADP includes a data-protection-by-design obligation in Article 7. Quebec's Law 25 in Canada includes a privacy-by-default obligation in section 9. Several US state privacy laws (Colorado, Connecticut, California with the 2026 CPRA amendments) move in the same direction for consumer data and read across to employee monitoring through reasonable-expectation-of-privacy doctrine. The by-default question is rapidly becoming a global procurement filter.
See a productivity intelligence platform that ships GDPR-compliant by default
Capture features off by default. Signal aggregated to team-level by default. Retention defaulted to 30 days. EU residency as a default DPA clause. Walk the five default-state questions against a 15-minute live tour.
Book a 15-min demo Read the 25-point checklistThis article is a general educational reference, not legal advice. GDPR interpretations evolve through new EDPB guidance, national DPA decisions, and court rulings — and Article 25 application in particular is the subject of active enforcement development through 2026. Verify each point with a qualified DPO and counsel before relying on it. [needs-legal-review]